I will frequently see duplicate rules. If you have two rules matching on the same thing, even if the rules themselves are somewhat different, you can have two emails sent. If you look for incidents for the original email are there two?
I will also see duplicate incidents if a Email Gateway is not excluded in the Monitor capture filters (if that is in use). We don't need to see an incident once from the Prevent and once from the Monitor.